
Squeeze vulnerable to CVE-2010-2943 (xfs+NFS unlinked inode access)



On Wed, 16 Feb 2011, Pascal Hambourg wrote:
> Johan Grönqvist wrote:
> > 2011-02-15 22:46, Kelly Dean wrote:
> >> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2943 was
> >> published Sept 30, 2010, and says that Linux 2.6.32.5 is vulnerable.
> >> Squeeze uses 2.6.32-5, built on Jan 12, 2011. Is Squeeze's kernel
> >> fixed, or does it have the vulnerability?

...

> > The updates to the 2.6.32 kernel thus seem to be incorporated into the 
> > version in squeeze. The page you refer to lists 2.6.32.20 as vulnerable, 
> > but no higher versions of 2.6.32, and as 2.6.32.28 appears to be 
> > incorporated in squeeze, it seems that squeeze might not be vulnerable.
> 
> I do not know if 2.6.32 was vulnerable either, but looking at upstream
> kernel changelogs it seems that the fix was not backported to any
> upstream -stable (now -longterm) release older than 2.6.35, including
> 2.6.32. So if upstream 2.6.32 was vulnerable, 2.6.32.28 still is.

http://security-tracker.debian.org/tracker/CVE-2010-2943

It is supposed to be vulnerable.

Upstream is sitting on backports of this one for some reason, because it is
not on any stable or longterm kernel as far as I can see.

RedHat fixed this one:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2943

Ubuntu also did:
http://www.ubuntuupdates.org/packages/show/199704  (Version: 2.6.32-27.49)

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
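The thread turns on two version notations that look alike but mean different things: an upstream -stable point release such as 2.6.32.28 (dots only), and a Debian kernel ABI name such as 2.6.32-5 (the dash introduces the ABI number, which says nothing about which stable point release the package carries). The following script is an added example, not code from this thread or from Debian; it parses both forms, refuses to guess a fix status from a bare ABI name, and compares an upstream version against a list of "first fixed" releases. The list used in the test, 2.6.35 with no 2.6.32.y backport, is what the thread states for this CVE; for real triage the fixed versions come from the security tracker, and the `incorporates` value comes from the package changelog, which may also carry cherry-picked fixes the stable series lacks.

```python
"""Kernel version triage helper (added example; not part of the original thread).

Distinguishes upstream -stable point releases (2.6.32.28) from Debian kernel
ABI names (2.6.32-5-amd64) and checks an upstream version against a list of
first-fixed releases. Fix lists and changelog data are inputs, never guessed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Upstream: major.minor.patch with an optional -stable point number.
UPSTREAM_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$')
# Debian: major.minor.patch-ABI with an optional flavour suffix (e.g. -amd64),
# as seen in `uname -r` or in a package version such as 2.6.32-30.
DEBIAN_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-([A-Za-z0-9.+-]+))?$')


class KernelVersion(NamedTuple):
    base: Tuple[int, int, int]   # e.g. (2, 6, 32)
    stable: Optional[int]        # upstream point release; None for Debian names
    debian_abi: Optional[int]    # Debian ABI number; None for upstream versions


def parse_version(text: str) -> KernelVersion:
    """Parse either notation; raise ValueError on anything else."""
    m = UPSTREAM_RE.match(text.strip())
    if m:
        base = (int(m[1]), int(m[2]), int(m[3]))
        return KernelVersion(base, int(m[4]) if m[4] else 0, None)
    m = DEBIAN_RE.match(text.strip())
    if m:
        base = (int(m[1]), int(m[2]), int(m[3]))
        return KernelVersion(base, None, int(m[4]))
    raise ValueError(f"unrecognised kernel version: {text!r}")


def upstream_fix_status(version: str, fixed_in: List[str]) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for an upstream version.

    fixed_in lists the first release carrying the fix in each series, e.g.
    ["2.6.35"] (mainline only) or ["2.6.35", "2.6.34.8"] (plus a backport).
    A Debian ABI name cannot be judged on its own: it does not encode which
    stable point release the package incorporates.
    """
    v = parse_version(version)
    if v.stable is None:
        return 'unknown'
    fixes = [parse_version(f) for f in fixed_in]
    # A backport into the same stable series decides for that series.
    same_series = [f.stable for f in fixes if f.base == v.base]
    if same_series:
        return 'fixed' if v.stable >= min(same_series) else 'vulnerable'
    # Otherwise only a mainline release at or below our base counts as fixed;
    # older series without a backport entry are vulnerable.
    mainline = [f.base for f in fixes if f.stable == 0]
    if mainline and v.base >= min(mainline):
        return 'fixed'
    return 'vulnerable'


def debian_fix_status(debian_version: str, incorporates: str,
                      fixed_in: List[str]) -> str:
    """Judge a Debian kernel by the upstream stable release its changelog
    says it incorporates (the thread's 2.6.32-30 -> 2.6.32.28 reasoning).

    The ABI name and the incorporated release must belong to the same base
    series; otherwise the changelog data is inconsistent and we say so.
    """
    d = parse_version(debian_version)
    u = parse_version(incorporates)
    if d.debian_abi is None or u.stable is None or d.base != u.base:
        return 'unknown'
    return upstream_fix_status(incorporates, fixed_in)


if __name__ == '__main__':
    # Values from the thread: fix in 2.6.35, no 2.6.32.y backport.
    fix_list = ["2.6.35"]
    for probe in ("2.6.32.5", "2.6.32.28", "2.6.32-5-amd64", "2.6.36.1"):
        print(f"{probe:16s} -> {upstream_fix_status(probe, fix_list)}")
    print("2.6.32-5-amd64 (incorporates 2.6.32.28) ->",
          debian_fix_status("2.6.32-5-amd64", "2.6.32.28", fix_list))
```

Run it without arguments to see the thread's own cases: the bare ABI name comes back `unknown`, and only after the changelog says which stable release the package carries does the verdict become `vulnerable`, matching the tracker entry quoted above.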

